Open muges01 opened 5 years ago
I have tested this on a tenant which doesn't have MSA enabled and it is working fine.
Looks like the issue is with the tenant which has the MSA enabled.
Thank you
Looking for an update on this, encountering the same issue.
Same issue for me too. Worse than that: I tried to apply the starter kit in a new Office 365 tenant (created with the developer program, so without MSA enabled) and I have the same behavior...
Anybody found any solution for this issue yet?
Unfortunately, no. Nothing yet.
Thank you @JeremySColeman, I hope someone will be able to help us here. It looks like something to do with an MSA-enabled environment.
Hi @VesaJuvonen
I have run the script again and this is the exception details
Please let me know, if you need any further information.
Hi @muges01 - this indicates one of two things. You do not have an app catalog created in your tenant OR you do not have site collection administrator permissions in the app catalog for some reason. Can you check those? Thx.
Hi @VesaJuvonen
I have the same error as @muges01 despite the fact that I am administrator (both site collection and tenant) and I have an App Catalog...
Hi @VesaJuvonen,
I have checked the two things that you asked me to clarify.
Please let me know, if you need any other details.
Thank you
Thank you @michaelmaillot for the info
@VesaJuvonen In my case I am not only a Global Admin but also an explicit Site Collection administrator for all collections on the tenant. Our App Catalog is several years old and has several apps installed. Additionally I verified that I am a Term Store admin and the user profile attribute was created prior to testing.
I tested with my admin account as well as with the default tenant admin account, no luck.
Thanks for the assistance!
@muges01 - Can you test the following - ensure that you do not have the sppkg file in the app catalog... so delete it if it's there. Try re-installation. Share the app catalog status and whether the sppkg file is now there.
@JeremySColeman - Can you share the exception details you get... or is that the same as what was already mentioned above?
Thx.
Hi @VesaJuvonen ,
Sorry for the delay. I have checked my app catalog and there is no sppkg file deployed.
Thank you
Hi @muges01 To make sure we can (from code) actually resolve the URL of the appcatalog, can you in PowerShell execute the following cmdlet:
Get-PnPTenantAppCatalogUrl
It should return the url to your appcatalog site.
Hi @erwinvanhunen ,
Here is the url of my app catalog https://[tenant].sharepoint.com/sites/appcatalog
Thank you
The exception I get is identical to the original post screenshot
Hi @VesaJuvonen,
Any updates regarding this issue?
Thank you in advance
Hi @VesaJuvonen
I have the same issue. If it's any help, it seems that the 403 comes from a POST to /_vti_bin/sites.asmx, method GetUpdatedFormDigestInformation?
Thanks :-)
Hi guys,
Any updates on this issue? It's been so long; any suggestion for a workaround would be good as well.
I noticed that Apply-PnPProvisioningHierarchy has been deprecated. So I tried Apply-PnPTenantTemplate instead, but with same outcome. 403 on POST to /_vti_bin/sites.asmx.
Hi @VesaJuvonen,
Is there any update on this issue?
Any update on this? I've received both 401 and 403 errors.
We are trying to repro this. Anyone up for a remote desktop session where we look into your issue from a debug side of the story?
@erwinvanhunen I am getting this now. Can do RD session.
@erwinvanhunen I also can do screen share session as well.
Using App Password works fine.
Ex: Connect-PnPOnline -Url $tenant-admin.sharepoint.com -Credentials (Get-Credential)
and use your App Password
I get (403) Forbidden when I connect using Connect-PnPOnline -UseWebLogin
And (401) Unauthorized when I connect using Connect-PnPOnline -AppId $appId -AppSecret $appSecret
I am guessing that the token returned from the ... -UseWebLogin request is connected to $tenant-admin.sharepoint.com and cannot be used for SPWebs in the <SiteCollections> node.
Hi @maxali,
So if we use the app password, we should be able to install the starter kit without any issue. Is that correct?
It seems so @muges01 . I got it working with App Password.
Hi @maxali ,
I tried to use the App Password. I'm not getting the 403 Forbidden error anymore, but I'm getting the following error
What am I missing here?
@muges01 Can you send me private message on https://techcommunity.microsoft.com/t5/user/viewprofilepage/user-id/122 so we can setup a time and date for the screensharing?
Hi @erwinvanhunen ,
I have sent you a private message as requested.
Thank you
Verified working for me as of 12/13/18
Hi @erwinvanhunen ,
Did you get my message? When is the best time for us to do the screen share? Any help will be appreciated.
I got the latest package from GitHub today and when I tried to install it I was getting the following errors:
I checked the tenant and I found that:
SharePoint Starter kit client site package is installed
The Contoso Electronic (.../sites/demo_portal) and Human Resource (.../sites/demo_hr) are created with the default template; no site design or content is added to these sites
The Human Resource group is created
The site scripts and site designs have also been added to the tenant but not used on the sites
I am also seeing the 403 error for the first time on a (non-developer) tenant with 2-factor enabled.
I have successfully run the same script and version of the starterkit.pnp against a dev tenant last week without 2-factor enabled.
Any updates?
I am also getting this issue. I have tried it on multiple tenants.
If I disable MFA for my account and use the -UseWebLogin for the Connect, it still fails with 403.
If I change it to use -Credentials
Thanks
@ozippy you are spot on. I figured out that it was an MFA issue and was waiting for a "breaking glass" account to test in a client's tenant. I have since tested on another tenant with MFA enabled, with MFA then disabled - happy days. As shown above, I wasn't able to upload the app to the app store so this appears to be the deal breaker with MFA enabled. Happy to repeat any tests on my tenant if this helps diagnose the problem.
I also have the same problem on a tenant with MFA activated. It works with other PnP commands but not with Apply-PnPTenantTemplate. Works well on my other developer tenants without MFA activated.
@erwinvanhunen, @VesaJuvonen, from the above it looks like #179 is still open and many of us still cannot deploy to a tenant with a GA with MFA enabled - switch to a GA without MFA and happy days. The issues include:
Apply-PnPTenantTemplate
Is there anything we can do to help?
@erwinvanhunen
If this helps. Partly in Swedish :-)
PS C:\Repos\sp-starter-kit-dev\provisioning> Get-PnPException
Message : The remote server returned an error: (403) Forbidden.
Stacktrace : vid System.Net.HttpWebRequest.EndGetResponse(IAsyncResult asyncResult)
vid System.Threading.Tasks.TaskFactory`1.FromAsyncCoreLogic(IAsyncResult iar, Func`2 endFunction, Action`1 endAction, Task`1 promise, Boolean requiresSynchronization)
--- Slut på stackspårningen från föregående plats där ett undantag utlöstes ---
vid System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
vid System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
vid Microsoft.SharePoint.Client.SPWebRequestExecutor.<ExecuteAsync>d__0.MoveNext()
--- Slut på stackspårningen från föregående plats där ett undantag utlöstes ---
vid System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
vid System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
vid Microsoft.SharePoint.Client.ClientContext.<GetFormDigestInfoPrivateAsync>d__b.MoveNext()
--- Slut på stackspårningen från föregående plats där ett undantag utlöstes ---
vid System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
vid System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
vid Microsoft.SharePoint.Client.ClientContext.<EnsureFormDigestAsync>d__8.MoveNext()
--- Slut på stackspårningen från föregående plats där ett undantag utlöstes ---
vid System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
vid System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
vid Microsoft.SharePoint.Client.ClientContext.<ExecuteQueryAsync>d__4.MoveNext()
--- Slut på stackspårningen från föregående plats där ett undantag utlöstes ---
vid System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
vid System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
vid Microsoft.SharePoint.Client.ClientContextExtensions.<ExecuteQueryImplementation>d__7.MoveNext()
--- Slut på stackspårningen från föregående plats där ett undantag utlöstes ---
vid System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
vid Microsoft.SharePoint.Client.ClientContextExtensions.<ExecuteQueryImplementation>d__7.MoveNext()
--- Slut på stackspårningen från föregående plats där ett undantag utlöstes ---
vid System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
vid System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
vid Microsoft.SharePoint.Client.ClientObjectExtensions.<EnsurePropertiesImplementation>d__8`1.MoveNext()
--- Slut på stackspårningen från föregående plats där ett undantag utlöstes ---
vid System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
vid System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
vid Microsoft.SharePoint.Client.ClientObjectExtensions.EnsureProperties[T](T clientObject, Expression`1[] propertySelector)
vid OfficeDevPnP.Core.Framework.Provisioning.ObjectHandlers.TokenParser..ctor(Tenant tenant, ProvisioningHierarchy hierarchy, ProvisioningTemplateApplyingInformation applyingInformation)
vid OfficeDevPnP.Core.Framework.Provisioning.ObjectHandlers.SiteToTemplateConversion.ApplyProvisioningHierarchy(Tenant tenant, ProvisioningHierarchy hierarchy, String sequenceId, ProvisioningTemplateApplyingInformation provisioningInfo)
vid SharePointPnP.PowerShell.Commands.Provisioning.Tenant.ApplyTenantTemplate.ExecuteCmdlet()
vid SharePointPnP.PowerShell.Commands.PnPCmdlet.ProcessRecord()
ScriptLineNumber : 1
I was having this issue, and I was able to temporarily do the following in order to get this to work
@maxali - Thanks for the tip. It works for me. As you mentioned, if MFA is enabled on the Global Admin account it does not work (I only have one licensed user, but if you have another licensed account that does not have MFA enabled that should work as well). I received the "403 Forbidden" message upon executing the following PS command: Apply-PnPTenantTemplate -Path starterkit.pnp -Parameters @{"SiteUrlPrefix"="demo"}. However, if you use your App Password it works as expected. Do not use the switch -UseWebLogin; instead use CONNECT-PNPONLINE -URL "YOUR URL" -CREDENTIALS (GET-CREDENTIAL). Here are the steps to create your App Password if you haven't done so already: https://support.office.com/en-us/article/create-an-app-password-for-office-365-3e7c860f-bda4-4441-a618-b53953ee1183
Thanks @maxali !
Happy to see it working for you @dsweb329
Here are some steps I use to simplify the process:
Go to AppPasswords link: https://account.activedirectory.windowsazure.com/AppPasswords.aspx
You can then store your password in Windows Credential Manager. Here is PnP command to do it:
Add-PnPStoredCredential -Name mycredential -Username contosoadmin@contoso.onmicrosoft.com -Password (ConvertTo-SecureString -String "mycontosopass" -AsPlainText -Force)
Use the saved credentials whenever you try to login to pnp:
Connect-PnPOnline -Url https://contoso.sharepoint.com -Credentials mycredential
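The steps from this thread combined into one run, as an added example that is not part of the original comments: it stores the app password from a prompt (so the secret never appears on the command line or in PowerShell history), confirms the app catalog resolves, then applies the template and dumps the exception on failure. It assumes the legacy SharePointPnPPowerShellOnline module discussed here; the tenant name, account and credential name are placeholders.

```powershell
# Added example; $tenant, $user and $credName are placeholder values (assumptions).
$tenant   = 'contoso'
$user     = "admin@$tenant.onmicrosoft.com"
$credName = 'starterkit-deploy'
$adminUrl = "https://${tenant}-admin.sharepoint.com"
$package  = '.\starterkit.pnp'

if (-not (Test-Path $package)) {
    throw "Template package not found: $package"
}

# Prompt for the app password instead of passing it as a plain-text string.
$secret = Read-Host -AsSecureString -Prompt "App password for $user"
Add-PnPStoredCredential -Name $credName -Username $user -Password $secret

# Connect with the stored credential rather than -UseWebLogin.
Connect-PnPOnline -Url $adminUrl -Credentials $credName

# Preflight: the provisioning engine must be able to resolve the app catalog.
$catalogUrl = Get-PnPTenantAppCatalogUrl
if (-not $catalogUrl) {
    throw 'No tenant app catalog URL returned; create the app catalog or check permissions.'
}
Write-Host "App catalog: $catalogUrl"

try {
    Apply-PnPTenantTemplate -Path $package `
        -Parameters @{ SiteUrlPrefix = 'demo' } -ErrorAction Stop
}
catch {
    # Full message and stack trace of the last PnP error, as posted earlier in the thread.
    Get-PnPException | Format-List
    throw
}
```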
What to do if we can't turn off mfa?
Trying to use it without -UseWebLogin produces the following error on my end:
I'm having the same issue with applying theme colours. I just can't authenticate. No, I can't turn off MFA, I'm not in charge of that.
I've tried: 1) Windows credential manager 2) -UseWebLogin 3) -AppId & -AppSecret (app password)
Any other suggestions for being able to authenticate??
Same boat here. Have a client that has to use MFA. We are trying to loop through all sites and apply a template, but we get the same error. I have also tried
Any help would be appreciated.
This issue seems to keep haunting me.
Can deploy the StarterKit via the Provisioning service without any issues with my GA MFA account. So does it create an AppId and Appsecret in the background?
I can connect to modern comms site
Connect-PnPOnline -Url $SourceSiteUrl -UseWebLogin
Then at the site collection level just attempt to deploy the bits of the starter kit that support, say, PnPAlerts
Apply-PnPProvisioningTemplate -path .\my-provisioningTemplate.xml
This deploys lists, content types and app customizers, but even with an Alert item added... no alerts.
OK, thought I would use the original deployment script as I must be missing a dependency.
```
Connect-SPOService -Url $adminSiteUrl -UseWebLogin
Apply-PnPTenantTemplate -Path starterkit.pnp -Parameters @{"PORTALURL"="/sites/DansFabDemo"; "MARKETINGALIAS"="demomarketing"; "HRALIAS"="demohr" } -Handlers Lists
Apply-PnPTenantTemplate : The remote server returned an error: (403) Forbidden.
At line:1 char:1
+ CategoryInfo : NotSpecified: (:) [Apply-PnPTenantTemplate], WebException
+ FullyQualifiedErrorId : System.Net.WebException,SharePointPnP.PowerShell.Commands.Provisioning.Tenant.ApplyTenantTemplate
```
Hmmmmm, remember this is the same account as used in the provisioning service.
My next approach is to configure a MFA exception in the Azure: conditional access as per the above recommendations. I have configured my account as an exclusion but there seems to be a delay before this setting is enabled.
Hi,
I'm trying to install the new SharePoint Starter Kit in my tenant but I'm getting a 403 error. Can anyone please guide me on installing this starter kit?
Category
Expected or Desired Behavior
Expecting to install the SharePoint starter kit in my tenant.
Observed Behavior
I'm getting 'The remote server returned an error: (403) Forbidden.' error when I run the following PowerShell command
Note: I'm using a global administrator credential (MSA enabled account) to run the PowerShell.
Steps to Reproduce
Note: I'm using the 'PnP PowerShell for SharePoint Online' version '3.2.1810.0'
Thank you in advance.